From 053b42158e2f887b54a3e87977303d219530082f Mon Sep 17 00:00:00 2001
From: Fabien Potencier
Date: Tue, 30 Aug 2011 07:43:00 +0200
Subject: [PATCH] [Templating] added better support for encoding problems when escaping a string (available as of PHP 5.4)

From the PHP CHANGELOG: The flag ENT_SUBSTITUTE makes invalid multibyte sequences be replaced by U+FFFD (UTF-8) or &#FFFD; by htmlspecialchars and htmlentities. It is an alternative to the default behavior, which just returns an empty string and to ENT_IGNORE, which is a security risk. The behavior follows the recommendations of Unicode Technical Report #36.
---
 src/Symfony/Component/Templating/PhpEngine.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/Symfony/Component/Templating/PhpEngine.php b/src/Symfony/Component/Templating/PhpEngine.php
index de41affd2a..521ae61085 100644
--- a/src/Symfony/Component/Templating/PhpEngine.php
+++ b/src/Symfony/Component/Templating/PhpEngine.php
@@ -17,6 +17,10 @@ use Symfony\Component\Templating\Storage\StringStorage;
 use Symfony\Component\Templating\Helper\HelperInterface;
 use Symfony\Component\Templating\Loader\LoaderInterface;
 
+if (!defined('ENT_SUBSTITUTE')) {
+    define('ENT_SUBSTITUTE', 8);
+}
+
 /**
  * PhpEngine is an engine able to render PHP templates.
  *
@@ -440,7 +444,7 @@ class PhpEngine implements EngineInterface, \ArrayAccess
 {
 // Numbers and Boolean values get turned into strings which can cause problems
 // with type comparisons (e.g. === or is_int() etc).
-return is_string($value) ? htmlspecialchars($value, ENT_QUOTES, $that->getCharset(), false) : $value;
+return is_string($value) ? htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $that->getCharset(), false) : $value;
 },
 'js' =>
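Review bot: The fallback `define('ENT_SUBSTITUTE', 8)` in the first hunk only makes the constant resolve on PHP < 5.4; `htmlspecialchars` on those versions does not implement the flag, so invalid multibyte input is presumably still turned into an empty string rather than U+FFFD, and the substitution behaviour the commit message describes is only guaranteed on 5.4+. The shim should say so, e.g. `// Polyfill for PHP < 5.4: the flag is accepted there but has no effect, so invalid sequences still yield '' instead of U+FFFD.` so that a reader does not assume the "safe" replacement semantics apply everywhere the code runs. Defining a global constant at the top of a class file also mixes a side effect into a declaration-only file; a dedicated bootstrap/polyfill file would keep PhpEngine.php free of it. The second hunk's closure starts and ends outside the visible part of the patch, so the call-site change is not reviewed here.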